8.0
High risk

e30433e49a720e79dab6dd82e0ebf12b368b4b444e2f20f1cb98e03ba8f35b69

6ed2376a771d4a53e7260c6c7a8c9751.exe

Analysis duration

143s

Last analysis

File size

17.9MB
Static scan: flagged malicious; Dynamic scan: flagged malicious; HIGH SCORE
Eagle Eye engine (鹰眼引擎)
Not detected: no Eagle Eye engine detection results yet
Static verdict
Antivirus engines
Engine Result Scan date Engine version
Alibaba 20190402 0.3.0.4
Tencent 20190405 1.0.0.1
Kingsoft 20190405 2013.8.14.323
McAfee 20190405 6.0.6.653
CrowdStrike 20190212 1.0
Static indicators
Checks if process is being debugged by a debugger (2 events)
Time & API Arguments Status Return Repeated
1620792420.703205
IsDebuggerPresent
failed 0 0
1620792421.925239
IsDebuggerPresent
failed 0 0
This executable has a PDB path (1 event)
pdb_path d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated
1620792422.160239
GlobalMemoryStatusEx
success 1 0
Behavioral verdict
Dynamic indicators
HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)
suspicious_features POST method with no referer header suspicious_request POST https://update.googleapis.com/service/update2?cup2key=10:1436378739&cup2hreq=b76bce44760cd02c929b3222f34d57fb4d36e632a167288ed93aa0058a240854
Performs some HTTP requests (3 events)
request HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request HEAD http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620762975&mv=m&mvi=1&pl=23&shardbypass=yes
request POST https://update.googleapis.com/service/update2?cup2key=10:1436378739&cup2hreq=b76bce44760cd02c929b3222f34d57fb4d36e632a167288ed93aa0058a240854
Sends data using the HTTP POST Method (1 event)
request POST https://update.googleapis.com/service/update2?cup2key=10:1436378739&cup2hreq=b76bce44760cd02c929b3222f34d57fb4d36e632a167288ed93aa0058a240854
Allocates read-write-execute memory (usually to unpack itself) (43 events)
Time & API Arguments Status Return Repeated
1620792394.318875
NtProtectVirtualMemory
process_identifier: 1712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x745e1000
success 0 0
1620792394.443875
NtProtectVirtualMemory
process_identifier: 1712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x747a1000
success 0 0
1620792399.584875
NtProtectVirtualMemory
process_identifier: 1712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75a11000
success 0 0
1620792399.584875
NtProtectVirtualMemory
process_identifier: 1712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x766c1000
success 0 0
1620792399.584875
NtProtectVirtualMemory
process_identifier: 1712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77691000
success 0 0
1620792408.623469
NtProtectVirtualMemory
process_identifier: 1436
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x745e1000
success 0 0
1620792408.702469
NtProtectVirtualMemory
process_identifier: 1436
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75641000
success 0 0
1620792409.155469
NtProtectVirtualMemory
process_identifier: 1436
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73ef1000
success 0 0
1620792409.186469
NtProtectVirtualMemory
process_identifier: 1436
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75331000
success 0 0
1620792409.186469
NtProtectVirtualMemory
process_identifier: 1436
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76881000
success 0 0
1620792415.858469
NtProtectVirtualMemory
process_identifier: 1436
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75401000
success 0 0
1620792417.530469
NtProtectVirtualMemory
process_identifier: 1436
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75c41000
success 0 0
1620792417.530469
NtProtectVirtualMemory
process_identifier: 1436
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75061000
success 0 0
1620792417.639469
NtProtectVirtualMemory
process_identifier: 1436
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76851000
success 0 0
1620792417.764469
NtProtectVirtualMemory
process_identifier: 1436
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73c31000
success 0 0
1620792417.764469
NtProtectVirtualMemory
process_identifier: 1436
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73c11000
success 0 0
1620792417.780469
NtProtectVirtualMemory
process_identifier: 1436
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73bd1000
success 0 0
1620792417.905469
NtProtectVirtualMemory
process_identifier: 1436
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73b91000
success 0 0
1620792418.014469
NtProtectVirtualMemory
process_identifier: 1436
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73b81000
success 0 0
1620792418.077469
NtProtectVirtualMemory
process_identifier: 1436
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73b61000
success 0 0
1620792418.092469
NtProtectVirtualMemory
process_identifier: 1436
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x74551000
success 0 0
1620792418.233469
NtProtectVirtualMemory
process_identifier: 1436
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75401000
success 0 0
1620792413.571656
NtProtectVirtualMemory
process_identifier: 520
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73c21000
success 0 0
1620792413.634656
NtAllocateVirtualMemory
process_identifier: 520
region_size: 851968
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00940000
success 0 0
1620792413.634656
NtAllocateVirtualMemory
process_identifier: 520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x009d0000
success 0 0
1620792413.790656
NtProtectVirtualMemory
process_identifier: 520
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73bb1000
success 0 0
1620792413.821656
NtAllocateVirtualMemory
process_identifier: 520
region_size: 524288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x002d0000
success 0 0
1620792413.821656
NtAllocateVirtualMemory
process_identifier: 520
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00310000
success 0 0
1620792420.703205
NtProtectVirtualMemory
process_identifier: 1832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75380000
success 0 0
1620792420.719205
NtProtectVirtualMemory
process_identifier: 1832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x747a1000
success 0 0
1620792421.391205
NtProtectVirtualMemory
process_identifier: 1832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73a91000
success 0 0
1620792421.406205
NtProtectVirtualMemory
process_identifier: 1832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73a71000
success 0 0
1620792421.437205
NtProtectVirtualMemory
process_identifier: 1832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75061000
success 0 0
1620792421.562205
NtProtectVirtualMemory
process_identifier: 1832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73ac1000
success 0 0
1620792421.925239
NtProtectVirtualMemory
process_identifier: 3080
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75380000
success 0 0
1620792422.035239
NtProtectVirtualMemory
process_identifier: 3080
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73aa1000
success 0 0
1620792422.160239
NtProtectVirtualMemory
process_identifier: 3080
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73a91000
success 0 0
1620792422.160239
NtProtectVirtualMemory
process_identifier: 3080
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75401000
success 0 0
1620792422.254239
NtProtectVirtualMemory
process_identifier: 3080
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75061000
success 0 0
1620792422.285239
NtProtectVirtualMemory
process_identifier: 3080
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x74201000
success 0 0
1620792422.285239
NtProtectVirtualMemory
process_identifier: 3080
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75831000
success 0 0
1620792422.285239
NtProtectVirtualMemory
process_identifier: 3080
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75841000
success 0 0
1620792422.285239
NtProtectVirtualMemory
process_identifier: 3080
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x74571000
success 0 0
Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)
Time & API Arguments Status Return Repeated
1620792417.498469
GetDiskFreeSpaceExW
root_path: C:\
free_bytes_available: 19371581440
total_number_of_free_bytes: 0
total_number_of_bytes: 0
success 1 0
1620792421.422205
GetDiskFreeSpaceW
root_path: c:\
sectors_per_cluster: 8
number_of_free_clusters: 4728821
total_number_of_clusters: 8362495
bytes_per_sector: 512
success 1 0
Creates executable files on the filesystem (50 out of 61 events)
file c:\6f882da044bc763bfc76d56c80b9076b\install.res.1031.dll
file c:\6f882da044bc763bfc76d56c80b9076b\install.res.1042.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\NDde.DLL
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\TickerChartLive\OdsSptr.DLL
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\ChartCenter.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\Newtonsoft.Json.DLL
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\TickerChartLive\TickerChartLive.msi
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\TickerChartLive\StreamHubClient.DLL
file c:\6f882da044bc763bfc76d56c80b9076b\install.res.1028.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\Live.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\TickerChartLive\TickerChartLib.TickerForm.DLL
file c:\6f882da044bc763bfc76d56c80b9076b\vc_red.msi
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\OdsSptr.DLL
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\TickerChartLive\System.Windows.Forms.DataVisualization.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\TickerChartLive\TickerChart MetaLib.DLL
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\TickerChartLive\TickerChartLib.TickerDrawing.DLL
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\SandBar.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\TickerChartLive\log4net.DLL
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\TickerChartLive\SandDock.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\TickerChartLive\TickerChart_TV7QS_ar.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\ChartControl.DLL
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\TickerChartLive\Newtonsoft.Json.DLL
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\System.Windows.Forms.DataVisualization.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\TickerChartLive\SandBar.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\TickerChartLive\Live.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\TickerChartLive\Winros.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\LitJson.DLL
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\SandDock.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\TickerChartLive\CacheServer.Client.Ms.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\CacheServer.Client.Ms.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\ICSharpCode.SharpZipLib.DLL
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\TickerChartLive\LitJson.DLL
file c:\6f882da044bc763bfc76d56c80b9076b\install.res.1041.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\SdkOdsMs.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\TickerChartLive\TickerChartLib.DLL
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\TickerChartLive\TenTec.Windows.iGridLib.iGrid.DLL
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\AutocompleteMenu.DLL
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\TickerChartLive\setup.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\TickerChartLive\TickerChartInd.dll
file c:\6f882da044bc763bfc76d56c80b9076b\install.res.2052.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\TickerChartLive\vcredist_x86\vcredist_x86.exe
file c:\6f882da044bc763bfc76d56c80b9076b\install.res.1033.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\VSDDA4D.tmp\DotNetFX\dotnetchk.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\TickerChartLive\ICSharpCode.SharpZipLib.DLL
file c:\6f882da044bc763bfc76d56c80b9076b\install.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\TickerChartLive\SdkOdsMs.dll
file c:\6f882da044bc763bfc76d56c80b9076b\install.res.3082.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\TickerChartLive\TenTec.Windows.iGridLib.iGPrintManager.DLL
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\OfficePickers.DLL
file c:\6f882da044bc763bfc76d56c80b9076b\install.res.1036.dll
Creates hidden or system file (1 event)
Time & API Arguments Status Return Repeated
1620792421.734205
NtCreateFile
create_disposition: 2 (FILE_CREATE)
file_handle: 0x00000184
filepath: c:\6f882da044bc763bfc76d56c80b9076b\$shtdwn$.req
desired_access: 0xc0110080 (FILE_READ_ATTRIBUTES|DELETE|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\c:\6f882da044bc763bfc76d56c80b9076b\$shtdwn$.req
create_options: 4192 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_DELETE_ON_CLOSE)
status_info: 2 (FILE_CREATED)
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
success 0 0
Drops a binary and executes it (2 events)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\TickerChartLive\setup.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\VSDDA4D.tmp\DotNetFX\dotnetchk.exe
Drops an executable to the user AppData folder (32 events)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\ChartControl.DLL
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\TickerChartLive\setup.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\TickerChartLive\TickerChartInd.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\TickerChartLive\TickerChartLiveDataPlugin.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\TickerChartLive\TickerChartLib.TickerDrawing.DLL
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\TickerChartLive\TickerChartLib.DLL
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\TickerChartLive\OfficePickers.DLL
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\TickerChartLive\TickerChartLib.TickerForm.DLL
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\OdsSptr.DLL
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\NDde.DLL
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\AutocompleteMenu.DLL
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\SandBar.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\VSDDA4D.tmp\DotNetFX\dotnetchk.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\TickerChartLive\ChartCenter.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\SdkOdsMs.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\TickerChartLive\log4net.DLL
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\TickerChartLive\Winros.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\Live.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\StreamHubClient.DLL
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\TickerChartLive\TenTec.Windows.iGridLib.iGPrintManager.DLL
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\TickerChartLive\TenTec.Windows.iGridLib.iGrid.DLL
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\System.Windows.Forms.DataVisualization.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\ICSharpCode.SharpZipLib.DLL
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\TickerChartLive\TickerChart_TV7QS_ar.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\SandDock.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\TickerChartLive\Newtonsoft.Json.DLL
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\TickerChartLive\LitJson.DLL
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\TickerChartLive\TickerChartLive.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\TickerChartLive\TickerChartTextBox.DLL
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\CacheServer.Client.Ms.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\TickerChartLive\vcredist_x86\vcredist_x86.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\TickerChartLive\TickerChartLive\TickerChart MetaLib.DLL
A process created a hidden window (2 events)
Time & API Arguments Status Return Repeated
1620792412.217469
ShellExecuteExW
parameters:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\VSDDA4D.tmp\DotNetFX\dotnetchk.exe
filepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\VSDDA4D.tmp\DotNetFX\dotnetchk.exe
show_type: 0
success 1 0
1620792419.873469
ShellExecuteExW
parameters: /q:a
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\VSDDA4D.tmp\vcredist_x86\vcredist_x86.exe
filepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\VSDDA4D.tmp\vcredist_x86\vcredist_x86.exe
show_type: 0
success 1 0
File has been identified by 2 AntiVirus engines on VirusTotal as malicious (2 events)
Trapmine malicious.high.ml.score
Cybereason malicious.6459b1
Checks for the Locally Unique Identifier on the system for a suspicious privilege (16 events)
Time & API Arguments Status Return Repeated
1620792422.285239
LookupPrivilegeValueW
system_name:
privilege_name: SeShutdownPrivilege
success 1 0
1620792422.597239
LookupPrivilegeValueW
system_name:
privilege_name: SeCreateTokenPrivilege
success 1 0
1620792422.597239
LookupPrivilegeValueW
system_name:
privilege_name: SeAssignPrimaryTokenPrivilege
success 1 0
1620792422.597239
LookupPrivilegeValueW
system_name:
privilege_name: SeMachineAccountPrivilege
success 1 0
1620792422.597239
LookupPrivilegeValueW
system_name:
privilege_name: SeTcbPrivilege
success 1 0
1620792422.597239
LookupPrivilegeValueW
system_name:
privilege_name: SeSecurityPrivilege
success 1 0
1620792422.597239
LookupPrivilegeValueW
system_name:
privilege_name: SeTakeOwnershipPrivilege
success 1 0
1620792422.597239
LookupPrivilegeValueW
system_name:
privilege_name: SeLoadDriverPrivilege
success 1 0
1620792422.613239
LookupPrivilegeValueW
system_name:
privilege_name: SeBackupPrivilege
success 1 0
1620792422.613239
LookupPrivilegeValueW
system_name:
privilege_name: SeRestorePrivilege
success 1 0
1620792422.613239
LookupPrivilegeValueW
system_name:
privilege_name: SeShutdownPrivilege
success 1 0
1620792422.613239
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1620792422.613239
LookupPrivilegeValueW
system_name:
privilege_name: SeRemoteShutdownPrivilege
success 1 0
1620792422.613239
LookupPrivilegeValueW
system_name:
privilege_name: SeEnableDelegationPrivilege
success 1 0
1620792422.613239
LookupPrivilegeValueW
system_name:
privilege_name: SeManageVolumePrivilege
success 1 0
1620792422.613239
LookupPrivilegeValueW
system_name:
privilege_name: SeCreateGlobalPrivilege
success 1 0
Network communication
Communicates with host for which no DNS query was performed (2 events)
host 172.217.24.14
host 203.208.41.33
Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)
Process injection Process 1436 resumed a thread in remote process 520
Process injection Process 1436 resumed a thread in remote process 1832
Time & API Arguments Status Return Repeated
1620792412.217469
NtResumeThread
thread_handle: 0x00000288
suspend_count: 1
process_identifier: 520
success 0 0
1620792419.873469
NtResumeThread
thread_handle: 0x00000444
suspend_count: 1
process_identifier: 1832
success 0 0
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)
dead_host 172.217.24.14:443
dead_host 172.217.160.78:443
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were captured while the sample was running

PE Compile Time

2013-08-22 21:00:50

Imports

Library COMCTL32.dll:
Library SHLWAPI.dll:
0x427288 SHAutoComplete
Library KERNEL32.dll:
0x427064 ReadFile
0x427068 GetFileAttributesW
0x42706c SetFileAttributesW
0x427070 FindNextFileW
0x427074 GetFullPathNameW
0x427078 GetModuleFileNameW
0x42707c FindResourceW
0x427080 GetModuleHandleW
0x427084 FreeLibrary
0x427088 GetProcAddress
0x42708c LoadLibraryW
0x427090 GetCurrentProcessId
0x427094 GetLocaleInfoW
0x427098 GetNumberFormatW
0x4270a0 WaitForSingleObject
0x4270a8 GetDateFormatW
0x4270ac GetTimeFormatW
0x4270b8 GetExitCodeProcess
0x4270bc GetTempPathW
0x4270c0 MoveFileExW
0x4270c4 Sleep
0x4270c8 UnmapViewOfFile
0x4270cc MapViewOfFile
0x4270d0 GetCommandLineW
0x4270d4 CreateFileMappingW
0x4270d8 GetTickCount
0x4270e0 OpenFileMappingW
0x4270e4 CreateThread
0x4270f4 ReleaseSemaphore
0x4270f8 ResetEvent
0x427100 SetEvent
0x427104 SetThreadPriority
0x42710c CreateEventW
0x427110 CreateSemaphoreW
0x427118 GetSystemTime
0x427120 WideCharToMultiByte
0x427124 MultiByteToWideChar
0x427128 CompareStringW
0x42712c IsDBCSLeadByte
0x427130 FindFirstFileW
0x427134 GetFileType
0x42713c WriteConsoleW
0x427140 GetConsoleOutputCP
0x427144 WriteConsoleA
0x427148 SetStdHandle
0x42714c GetLocaleInfoA
0x427150 GetStringTypeW
0x427154 GetStringTypeA
0x427158 LoadLibraryA
0x42715c GetConsoleMode
0x427160 GetConsoleCP
0x42716c SetHandleCount
0x427180 LCMapStringW
0x427184 LCMapStringA
0x427188 IsValidCodePage
0x42718c GetOEMCP
0x427190 GetACP
0x427194 GetModuleFileNameA
0x427198 ExitProcess
0x42719c HeapSize
0x4271a0 IsDebuggerPresent
0x4271ac TerminateProcess
0x4271b0 VirtualAlloc
0x4271b4 VirtualFree
0x4271b8 HeapCreate
0x4271c0 GetCurrentThreadId
0x4271c8 TlsFree
0x4271cc TlsSetValue
0x4271d0 TlsAlloc
0x4271d4 TlsGetValue
0x4271d8 GetStartupInfoA
0x4271dc GetCommandLineA
0x4271e0 RaiseException
0x4271e8 SetEndOfFile
0x4271ec SetFilePointer
0x4271f0 GetStdHandle
0x4271f4 WriteFile
0x4271f8 FlushFileBuffers
0x4271fc GetLongPathNameW
0x427200 MoveFileW
0x427204 GetShortPathNameW
0x427208 CreateDirectoryW
0x42720c RemoveDirectoryW
0x427210 GlobalAlloc
0x427214 DeleteFileW
0x427218 FindClose
0x42721c CreateFileW
0x427220 DeviceIoControl
0x427224 SetFileTime
0x427228 GetCurrentProcess
0x42722c CloseHandle
0x427230 CreateHardLinkW
0x427234 SetLastError
0x427238 GetLastError
0x427240 CreateFileA
0x427244 GetCPInfo
0x427248 HeapAlloc
0x42724c HeapReAlloc
0x427250 HeapFree
0x427254 RtlUnwind
Library USER32.dll:
0x427290 EnableWindow
0x427294 ShowWindow
0x427298 GetDlgItem
0x42729c MessageBoxW
0x4272a0 FindWindowExW
0x4272a4 GetParent
0x4272a8 MapWindowPoints
0x4272ac CreateWindowExW
0x4272b0 UpdateWindow
0x4272b4 LoadCursorW
0x4272b8 RegisterClassExW
0x4272bc DefWindowProcW
0x4272c0 DestroyWindow
0x4272c4 CopyRect
0x4272c8 IsWindow
0x4272cc CharUpperW
0x4272d0 OemToCharBuffA
0x4272d4 LoadIconW
0x4272d8 PostMessageW
0x4272dc GetSysColor
0x4272e0 SetForegroundWindow
0x4272e4 WaitForInputIdle
0x4272e8 IsWindowVisible
0x4272ec DialogBoxParamW
0x4272f0 DestroyIcon
0x4272f4 SetFocus
0x4272f8 GetClassNameW
0x4272fc SendDlgItemMessageW
0x427300 EndDialog
0x427304 GetDlgItemTextW
0x427308 SetDlgItemTextW
0x42730c wvsprintfW
0x427310 SendMessageW
0x427314 GetDC
0x427318 ReleaseDC
0x42731c PeekMessageW
0x427320 GetMessageW
0x427324 TranslateMessage
0x427328 DispatchMessageW
0x42732c LoadStringW
0x427330 GetWindowRect
0x427334 GetClientRect
0x427338 SetWindowPos
0x42733c GetWindowTextW
0x427340 SetWindowTextW
0x427344 GetSystemMetrics
0x427348 GetWindow
0x42734c GetWindowLongW
0x427350 SetWindowLongW
0x427354 LoadBitmapW
Library GDI32.dll:
0x427040 GetDeviceCaps
0x427044 CreateCompatibleDC
0x427048 GetObjectW
0x427050 SelectObject
0x427054 StretchBlt
0x427058 DeleteDC
0x42705c DeleteObject
Library COMDLG32.dll:
0x427030 GetSaveFileNameW
0x427038 GetOpenFileNameW
Library ADVAPI32.dll:
0x427000 RegOpenKeyExW
0x427004 RegQueryValueExW
0x427008 RegCreateKeyExW
0x42700c RegSetValueExW
0x427010 RegCloseKey
0x427014 SetFileSecurityW
0x427018 OpenProcessToken
Library SHELL32.dll:
0x427264 SHChangeNotify
0x427268 SHGetFileInfoW
0x42726c SHGetMalloc
0x427278 SHBrowseForFolderW
0x42727c ShellExecuteExW
0x427280 SHFileOperationW
Library ole32.dll:
0x42735c CLSIDFromString
0x427360 CoCreateInstance
0x427364 OleInitialize
0x427368 OleUninitialize
Library OLEAUT32.dll:
0x42725c VariantInit

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49215 113.108.239.194 r1---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49216 113.108.239.196 r3---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49207 203.208.40.66 update.googleapis.com 443
192.168.56.101 49214 203.208.41.65 redirector.gvt1.com 80

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50002 114.114.114.114 53
192.168.56.101 53500 114.114.114.114 53
192.168.56.101 54178 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 56743 114.114.114.114 53
192.168.56.101 58070 114.114.114.114 53
192.168.56.101 60215 114.114.114.114 53
192.168.56.101 62912 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51378 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 53210 224.0.0.252 5355
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 54991 224.0.0.252 5355

HTTP & HTTPS Requests

URI Data
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com

http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=30df0a2ce1eef9e1&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620762975&mv=m&mvi=3
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=30df0a2ce1eef9e1&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620762975&mv=m&mvi=3 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com

http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620762975&mv=m&mvi=1&pl=23&shardbypass=yes
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620762975&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o7dn7e.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.